doxygen/pbes2_8cpp_source.html

/*

* PKCS #5 PBES2

* (C) 1999-2008,2014,2021 Jack Lloyd

* (C) 2018 Ribose Inc

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/internal/pbes2.h>

#include <botan/cipher_mode.h>

#include <botan/pwdhash.h>

#include <botan/der_enc.h>

#include <botan/ber_dec.h>

#include <botan/internal/parsing.h>

#include <botan/internal/fmt.h>

#include <botan/asn1_obj.h>

#include <botan/rng.h>


namespace Botan {


namespace {


bool known_pbes_cipher_mode(std::string_view mode)

   {

   return (mode == "CBC" || mode == "GCM" || mode == "SIV");

   }


secure_vector<uint8_t> derive_key(std::string_view passphrase,

                                  const AlgorithmIdentifier& kdf_algo,

                                  size_t default_key_size)

   {

   if(kdf_algo.oid() == OID::from_string("PKCS5.PBKDF2"))

      {

      secure_vector<uint8_t> salt;

      size_t iterations = 0, key_length = 0;


      AlgorithmIdentifier prf_algo;

      BER_Decoder(kdf_algo.parameters())

         .start_sequence()

         .decode(salt, ASN1_Type::OctetString)

         .decode(iterations)

         .decode_optional(key_length, ASN1_Type::Integer, ASN1_Class::Universal)

         .decode_optional(prf_algo, ASN1_Type::Sequence, ASN1_Class::Constructed,

                          AlgorithmIdentifier("HMAC(SHA-1)",

                                              AlgorithmIdentifier::USE_NULL_PARAM))

         .end_cons();


      if(salt.size() < 8)

         throw Decoding_Error("PBE-PKCS5 v2.0: Encoded salt is too small");


      if(key_length == 0)

         key_length = default_key_size;


      const std::string prf = prf_algo.oid().human_name_or_empty();

      if(prf.empty() || !prf.starts_with("HMAC"))

         {

         throw Decoding_Error(fmt("Unknown PBES2 PRF {}", prf_algo.oid()));

         }


      auto pbkdf_fam = PasswordHashFamily::create_or_throw(fmt("PBKDF2({})", prf));

      auto pbkdf = pbkdf_fam->from_params(iterations);


      secure_vector<uint8_t> derived_key(key_length);

      pbkdf->hash(derived_key, passphrase, salt);

      return derived_key;

      }

   else if(kdf_algo.oid() == OID::from_string("Scrypt"))

      {

      secure_vector<uint8_t> salt;

      size_t N = 0, r = 0, p = 0;

      size_t key_length = 0;


      AlgorithmIdentifier prf_algo;

      BER_Decoder(kdf_algo.parameters())

         .start_sequence()

         .decode(salt, ASN1_Type::OctetString)

         .decode(N)

         .decode(r)

         .decode(p)

         .decode_optional(key_length, ASN1_Type::Integer, ASN1_Class::Universal)

         .end_cons();


      if(key_length == 0)

         key_length = default_key_size;


      secure_vector<uint8_t> derived_key(key_length);


      auto pwdhash_fam = PasswordHashFamily::create_or_throw("Scrypt");

      auto pwdhash = pwdhash_fam->from_params(N, r, p);

      pwdhash->hash(derived_key, passphrase, salt);


      return derived_key;

      }

   else

      {

      throw Decoding_Error(fmt("PBE-PKCS5 v2.0: Unknown KDF algorithm {}", kdf_algo.oid()));

      }

   }


secure_vector<uint8_t> derive_key(std::string_view passphrase,

                                  std::string_view digest,

                                  RandomNumberGenerator& rng,

                                  size_t* msec_in_iterations_out,

                                  size_t iterations_if_msec_null,

                                  size_t key_length,

                                  AlgorithmIdentifier& kdf_algo)

   {

   const secure_vector<uint8_t> salt = rng.random_vec(12);


   if(digest == "Scrypt")

      {

      auto pwhash_fam = PasswordHashFamily::create_or_throw("Scrypt");


      std::unique_ptr<PasswordHash> pwhash;


      if(msec_in_iterations_out)

         {

         const std::chrono::milliseconds msec(*msec_in_iterations_out);

         pwhash = pwhash_fam->tune(key_length, msec);

         }

      else

         {

         pwhash = pwhash_fam->from_iterations(iterations_if_msec_null);

         }


      secure_vector<uint8_t> key(key_length);

      pwhash->hash(key, passphrase, salt);


      const size_t N = pwhash->memory_param();

      const size_t r = pwhash->iterations();

      const size_t p = pwhash->parallelism();


      if(msec_in_iterations_out)

         *msec_in_iterations_out = 0;


      std::vector<uint8_t> scrypt_params;

      DER_Encoder(scrypt_params)

         .start_sequence()

            .encode(salt, ASN1_Type::OctetString)

            .encode(N)

            .encode(r)

            .encode(p)

            .encode(key_length)

         .end_cons();


      kdf_algo = AlgorithmIdentifier(OID::from_string("Scrypt"), scrypt_params);

      return key;

      }

   else

      {

      const std::string prf = fmt("HMAC({})", digest);

      const std::string pbkdf_name = fmt("PBKDF2({})", prf);


      auto pwhash_fam = PasswordHashFamily::create(pbkdf_name);

      if(!pwhash_fam)

         {

         throw Invalid_Argument(fmt("Unknown password hash digest {}", digest));

         }


      std::unique_ptr<PasswordHash> pwhash;


      if(msec_in_iterations_out)

         {

         const std::chrono::milliseconds msec(*msec_in_iterations_out);

         pwhash = pwhash_fam->tune(key_length, msec);

         }

      else

         {

         pwhash = pwhash_fam->from_iterations(iterations_if_msec_null);

         }


      secure_vector<uint8_t> key(key_length);

      pwhash->hash(key, passphrase, salt);


      std::vector<uint8_t> pbkdf2_params;


      const size_t iterations = pwhash->iterations();


      if(msec_in_iterations_out)

         *msec_in_iterations_out = iterations;


      DER_Encoder(pbkdf2_params)

         .start_sequence()

            .encode(salt, ASN1_Type::OctetString)

            .encode(iterations)

            .encode(key_length)

            .encode_if(prf != "HMAC(SHA-1)",

                       AlgorithmIdentifier(prf, AlgorithmIdentifier::USE_NULL_PARAM))

         .end_cons();


      kdf_algo = AlgorithmIdentifier("PKCS5.PBKDF2", pbkdf2_params);

      return key;

      }

   }


/*

* PKCS#5 v2.0 PBE Encryption

*/

std::pair<AlgorithmIdentifier, std::vector<uint8_t>>

pbes2_encrypt_shared(std::span<const uint8_t> key_bits,

                     std::string_view passphrase,

                     size_t* msec_in_iterations_out,

                     size_t iterations_if_msec_null,

                     std::string_view cipher,

                     std::string_view prf,

                     RandomNumberGenerator& rng)

   {

   auto enc = Cipher_Mode::create(cipher, Cipher_Dir::Encryption);


   const auto cipher_spec = split_on(cipher, '/');


   if(cipher_spec.size() != 2 || !known_pbes_cipher_mode(cipher_spec[1]) || !enc)

      {

      throw Encoding_Error(fmt("PBE-PKCS5 v2.0: Invalid or unavailable cipher '{}'", cipher));

      }


   const size_t key_length = enc->key_spec().maximum_keylength();


   const secure_vector<uint8_t> iv = rng.random_vec(enc->default_nonce_length());


   AlgorithmIdentifier kdf_algo;


   const secure_vector<uint8_t> derived_key =

      derive_key(passphrase, prf, rng,

                 msec_in_iterations_out, iterations_if_msec_null,

                 key_length, kdf_algo);


   enc->set_key(derived_key);

   enc->start(iv);

   secure_vector<uint8_t> ctext(key_bits.begin(), key_bits.end());

   enc->finish(ctext);


   std::vector<uint8_t> encoded_iv;

   DER_Encoder(encoded_iv).encode(iv, ASN1_Type::OctetString);


   std::vector<uint8_t> pbes2_params;

   DER_Encoder(pbes2_params)

      .start_sequence()

      .encode(kdf_algo)

      .encode(AlgorithmIdentifier(cipher, encoded_iv))

      .end_cons();


   AlgorithmIdentifier id(OID::from_string("PBE-PKCS5v20"), pbes2_params);


   return std::make_pair(id, unlock(ctext));

   }


}


std::pair<AlgorithmIdentifier, std::vector<uint8_t>>

pbes2_encrypt(std::span<const uint8_t> key_bits,

              std::string_view passphrase,

              std::chrono::milliseconds msec,

              std::string_view cipher,

              std::string_view digest,

              RandomNumberGenerator& rng)

   {

   size_t msec_in_iterations_out = static_cast<size_t>(msec.count());

   return pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);

   // return value msec_in_iterations_out discarded

   }


std::pair<AlgorithmIdentifier, std::vector<uint8_t>>

pbes2_encrypt_msec(std::span<const uint8_t> key_bits,

                   std::string_view passphrase,

                   std::chrono::milliseconds msec,

                   size_t* out_iterations_if_nonnull,

                   std::string_view cipher,

                   std::string_view digest,

                   RandomNumberGenerator& rng)

   {

   size_t msec_in_iterations_out = static_cast<size_t>(msec.count());


   auto ret = pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);


   if(out_iterations_if_nonnull)

      *out_iterations_if_nonnull = msec_in_iterations_out;


   return ret;

   }


std::pair<AlgorithmIdentifier, std::vector<uint8_t>>

pbes2_encrypt_iter(std::span<const uint8_t> key_bits,

                   std::string_view passphrase,

                   size_t pbkdf_iter,

                   std::string_view cipher,

                   std::string_view digest,

                   RandomNumberGenerator& rng)

   {

   return pbes2_encrypt_shared(key_bits, passphrase, nullptr, pbkdf_iter, cipher, digest, rng);

   }


secure_vector<uint8_t>

pbes2_decrypt(std::span<const uint8_t> key_bits,

              std::string_view passphrase,

              const std::vector<uint8_t>& params)

   {

   AlgorithmIdentifier kdf_algo, enc_algo;


   BER_Decoder(params)

      .start_sequence()

         .decode(kdf_algo)

         .decode(enc_algo)

      .end_cons();


   const std::string cipher = enc_algo.oid().human_name_or_empty();

   const auto cipher_spec = split_on(cipher, '/');

   if(cipher_spec.size() != 2 || !known_pbes_cipher_mode(cipher_spec[1]))

      {

      throw Decoding_Error(fmt("PBE-PKCS5 v2.0: Unknown/invalid cipher OID {}", enc_algo.oid()));

      }


   secure_vector<uint8_t> iv;

   BER_Decoder(enc_algo.parameters()).decode(iv, ASN1_Type::OctetString).verify_end();


   auto dec = Cipher_Mode::create(cipher, Cipher_Dir::Decryption);

   if(!dec)

      {

      throw Decoding_Error(fmt("PBE-PKCS5 cannot decrypt no cipher '{}'", cipher));

      }


   dec->set_key(derive_key(passphrase, kdf_algo, dec->key_spec().maximum_keylength()));


   dec->start(iv);


   secure_vector<uint8_t> buf(key_bits.begin(), key_bits.end());

   dec->finish(buf);


   return buf;

   }


}

Botan::AlgorithmIdentifier
Definition: asn1_obj.h:462

Botan::AlgorithmIdentifier::parameters
const std::vector< uint8_t > & parameters() const
Definition: asn1_obj.h:478

Botan::AlgorithmIdentifier::USE_NULL_PARAM
@ USE_NULL_PARAM
Definition: asn1_obj.h:464

Botan::AlgorithmIdentifier::oid
const OID & oid() const
Definition: asn1_obj.h:477

Botan::BER_Decoder
Definition: ber_dec.h:22

Botan::BER_Decoder::decode
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:193

Botan::BER_Decoder::verify_end
BER_Decoder & verify_end()
Definition: ber_dec.cpp:211

Botan::BER_Decoder::end_cons
BER_Decoder & end_cons()
Definition: ber_dec.cpp:304

Botan::BER_Decoder::start_sequence
BER_Decoder start_sequence()
Definition: ber_dec.h:117

Botan::Cipher_Mode::create
static std::unique_ptr< Cipher_Mode > create(std::string_view algo, Cipher_Dir direction, std::string_view provider="")
Definition: cipher_mode.cpp:50

Botan::Decoding_Error
Definition: exceptn.h:197

Botan::OID::human_name_or_empty
std::string human_name_or_empty() const
Definition: asn1_oid.cpp:128

Botan::OID::from_string
static OID from_string(std::string_view str)
Definition: asn1_oid.cpp:78

Botan::PasswordHashFamily::create_or_throw
static std::unique_ptr< PasswordHashFamily > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition: pwdhash.cpp:118

Botan::PasswordHashFamily::create
static std::unique_ptr< PasswordHashFamily > create(std::string_view algo_spec, std::string_view provider="")
Definition: pwdhash.cpp:50

Botan::RandomNumberGenerator
Definition: rng.h:31

Botan
Definition: alg_id.cpp:12

Botan::ASN1_Class::Universal
@ Universal

Botan::ASN1_Class::Constructed
@ Constructed

Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition: fmt.h:60

Botan::ASN1_Type::OctetString
@ OctetString

Botan::ASN1_Type::Sequence
@ Sequence

Botan::ASN1_Type::Integer
@ Integer

Botan::split_on
std::vector< std::string > split_on(std::string_view str, char delim)
Definition: parsing.cpp:117

Botan::pbes2_encrypt_iter
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_iter(std::span< const uint8_t > key_bits, std::string_view passphrase, size_t pbkdf_iter, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
Definition: pbes2.cpp:283

Botan::pbes2_decrypt
secure_vector< uint8_t > pbes2_decrypt(std::span< const uint8_t > key_bits, std::string_view passphrase, const std::vector< uint8_t > &params)
Definition: pbes2.cpp:294

Botan::unlock
std::vector< T > unlock(const secure_vector< T > &in)
Definition: secmem.h:77

Botan::Cipher_Dir::Decryption
@ Decryption

Botan::Cipher_Dir::Encryption
@ Encryption

Botan::pbes2_encrypt_msec
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_msec(std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, size_t *out_iterations_if_nonnull, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
Definition: pbes2.cpp:264

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:64

Botan::pbes2_encrypt
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt(std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
Definition: pbes2.cpp:251